CN111008390A - Root key generation protection method and device, solid state disk and storage medium - Google Patents

Root key generation protection method and device, solid state disk and storage medium Download PDF

Info

Publication number
CN111008390A
CN111008390A CN201911285133.7A CN201911285133A CN111008390A CN 111008390 A CN111008390 A CN 111008390A CN 201911285133 A CN201911285133 A CN 201911285133A CN 111008390 A CN111008390 A CN 111008390A
Authority
CN
China
Prior art keywords
root key
user
user password
solid state
state disk
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201911285133.7A
Other languages
Chinese (zh)
Inventor
罗影
王鹏
李先强
周海涛
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Jiangsu Xinsheng Intelligent Technology Co ltd
Original Assignee
Jiangsu Xinsheng Intelligent Technology Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Jiangsu Xinsheng Intelligent Technology Co ltd filed Critical Jiangsu Xinsheng Intelligent Technology Co ltd
Priority to CN201911285133.7A priority Critical patent/CN111008390A/en
Publication of CN111008390A publication Critical patent/CN111008390A/en
Pending legal-status Critical Current

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/602Providing cryptographic facilities or services
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/70Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
    • G06F21/71Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information
    • G06F21/72Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information in cryptographic circuits
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/70Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
    • G06F21/78Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure storage of data
    • G06F21/79Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure storage of data in semiconductor storage media, e.g. directly-addressable memories

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Mathematical Physics (AREA)
  • Storage Device Security (AREA)

Abstract

The embodiment of the invention provides a root key generation protection method, a root key generation protection device, a solid state disk and a storage medium, relates to the field of information security, is applied to the solid state disk, and receives a user identifier and a user password input by a user; the user identification and the user password are used for distinguishing different users; generating a root key according to the user identification and the user password; the user identification, the user password and the root key have corresponding relation; the root key is used for obtaining a ciphertext corresponding to the data protection key; the ciphertext is used for protecting data on the solid state disk. Compared with the prior art, the method and the device can effectively solve the problem that the stored root key is obtained by an attacker bypassing the user identity authentication, so that the root key is leaked, and the safety and the reliability of the data storage of the solid state disk are improved.

Description

Root key generation protection method and device, solid state disk and storage medium
Technical Field
The invention relates to the field of information security, in particular to a root key generation protection method and device, a solid state disk and a storage medium.
Background
With the development of information technology, people pay more and more attention to the security of information, and a Solid State Disk (SSD) also faces more and more strict security requirements as a basic device for implementing secure storage of information.
In the prior art, a root key is usually set in a solid state disk and stored in a fixed form, which has the following disadvantages: the user does not participate in the generation of the root key, and the root key is fixedly stored after being generated, so an attacker can easily bypass the user identity authentication to obtain the stored root key, the root key is leaked, and the safety and the reliability of the data storage of the solid state disk are reduced.
Disclosure of Invention
In view of this, the present invention provides a root key generation protection method, an apparatus, a solid state disk and a storage medium, which are used to solve the problem of root key leakage caused by an attacker bypassing user identity authentication to obtain a stored root key, and improve the security and reliability of SSD data storage.
In order to achieve the above purpose, the embodiment of the present invention adopts the following technical solutions:
in a first aspect, an embodiment of the present invention provides a root key generation protection method, which is applied to a solid state disk, and the method includes: receiving a user identification and a user password input by a user; the user identification and the user password are used for distinguishing different users; generating a root key according to the user identification and the user password; the user identification, the user password and the root key have a corresponding relation; the root key is used for obtaining a ciphertext corresponding to the data protection key; the ciphertext is used for protecting data on the solid state disk.
Optionally, the step of generating the root key according to the user identifier and the user password includes: generating a user password generation parameter according to the user identification and the random number; and generating the root key according to the user password and the user password generation parameter.
Optionally, before the step of generating the user password generation parameter according to the user identifier and the random number, the method further includes: acquiring the random number from a random number generator; writing the random number and the user identification into a system data area of the solid state disk; and the system data area maintains the corresponding relation between the random number and the user identification.
Optionally, the step of generating a root key according to the user password and the user generation parameter includes: generating a root key factor according to the user password and the user generation parameter; synthesizing the root key by the root key factor.
Optionally, the method further comprises: when the user password is changed, obtaining an updated root key according to the user identification and the changed user password; and the updated root key is used for updating the ciphertext corresponding to the data protection key.
Optionally, the method further comprises: and when the user corresponding to the user identification exits from the solid state disk, deleting the root key corresponding to the user identification.
In a second aspect, an embodiment of the present invention provides a root key generation protection apparatus, including a receiving module and a generating module; the receiving module is used for receiving a user identifier and a user password input by a user; the user identification and the user password are used for distinguishing different users; the generating module is used for generating a root key according to the user identification and the user password; the user identification, the user password and the root key have a corresponding relation; the root key is used for obtaining a ciphertext corresponding to the data protection key; the ciphertext is used for protecting data on the solid state disk.
Optionally, the generating module is specifically configured to generate a user password generating parameter according to the user identifier and the random number; the generating module is specifically configured to generate the root key according to the user password and the user password generation parameter.
In a third aspect, an embodiment of the present invention provides a solid state disk, including: one or more processors and memory storing one or more programs which, when executed by the one or more processors, cause the one or more processors to implement a root key generation protection method as described in the first aspect.
In a fourth aspect, an embodiment of the present invention provides a storage medium, on which a computer program is stored, where the computer program, when executed by a processor, implements the root key generation protection method according to the first aspect.
Compared with the prior art, the root key generation protection method, the device, the solid state disk and the storage medium provided by the embodiment of the invention are applied to the solid state disk, and the method comprises the steps of firstly receiving a user identifier and a user password input by a user; the user identification and the user password are used for distinguishing different users; generating a root key according to the user identification and the user password; the user identification, the user password and the root key have corresponding relation; the root key is used for obtaining a ciphertext corresponding to the data protection key; the ciphertext is used for protecting data on the solid state disk. Compared with the prior art, the method uses the user identification information and the user password information in the process of generating the root key, can effectively solve the problem that an attacker bypasses the user identity authentication to obtain the stored root key, thereby causing the leakage of the root key, and improves the safety and the reliability of the SSD data storage.
In order to make the aforementioned and other objects, features and advantages of the present invention comprehensible, preferred embodiments accompanied with figures are described in detail below.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings that are required to be used in the embodiments will be briefly described below, it should be understood that the following drawings only illustrate some embodiments of the present invention and therefore should not be considered as limiting the scope, and for those skilled in the art, other related drawings can be obtained according to the drawings without inventive efforts.
Fig. 1 is a schematic flow chart of a root key generation protection method according to an embodiment of the present invention;
fig. 2 is a schematic flow chart of another root key generation protection method according to an embodiment of the present invention;
fig. 3 is a schematic flow chart of another root key generation protection method according to an embodiment of the present invention;
fig. 4 is a schematic flow chart of another root key generation protection method according to an embodiment of the present invention;
fig. 5 is a schematic diagram of data for generating a root key factor according to an embodiment of the present invention;
fig. 6 is a schematic data diagram of generating a root key according to an embodiment of the present invention;
fig. 7 is a schematic flow chart of another root key generation protection method according to an embodiment of the present invention;
FIG. 8 is a schematic flow chart diagram of another root key generation protection method provided by an embodiment of the present invention;
fig. 9 is a schematic diagram illustrating a method for performing a function of a solid state drive according to an embodiment of the present invention;
fig. 10 is a functional block diagram of a root key generation protection apparatus according to an embodiment of the present invention;
fig. 11 is a schematic structural diagram of a solid state disk according to an embodiment of the present invention.
Icon: 40-root key generation protection device; 401-a receiving module; 402-a generation module; 50-solid state disk; 501-a communication interface; 502-a processor; 503-memory.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are some, but not all, embodiments of the present invention. The components of embodiments of the present invention generally described and illustrated in the figures herein may be arranged and designed in a wide variety of different configurations.
It is to be noted, however, that the following detailed description of the embodiments of the present invention, which is provided in the accompanying drawings, is not intended to limit the scope of the invention, as claimed, but is merely representative of selected embodiments of the invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
At present, before accessing the solid state disk, a user needs to obtain the authority of data access through authentication. The identity authentication is usually carried out by adopting a password mode when a user logs in, and the authentication is passed when the solid state disk user inputs a correct user password; and if the user password authentication fails, access is denied, and the user passing the identity authentication can read and write the data on the solid state disk.
However, the existing authentication process and the data protection process are independent from each other, and especially the generation process of the root key in the data protection process is independent from each other, so that the root key is stored in a fixed form after being generated, an attacker can easily bypass authentication to obtain the root key, the leakage of the root key is caused, and the security problem of the root key and data on the solid state disk is reduced.
In order to solve the above problems, the present invention provides a root key generation protection method, which is characterized in that user information is associated with the generation of a root key, and when a user needs to access a solid state disk, the root key is generated temporarily without storing the root key, so that the problem of root key leakage can be effectively solved.
For describing the technical solution of the present invention in detail, referring to fig. 1 first, fig. 1 is a schematic flowchart of a root key generation protection method provided by an embodiment of the present invention, where the method includes:
step 201, receiving a user identification and a user password input by a user.
Optionally, the user identifier and the user password are used for distinguishing different users, when a solid state disk user is created, the user identifier and the corresponding user password may be preset, and when the solid state disk user logs in, the preset user identifier and the preset user password may be directly input to perform user authentication.
Alternatively, the user password may be generated by combining upper case letters, lower case letters, numbers, and special symbols, and the length of the user password may satisfy a predetermined length requirement to reduce the probability of successful guessing of the user password by an attacker, for example, assuming that the length of the password is not less than 8 characters, the probability of successful guessing by the attacker in a single time is 95-8The probability of success of single password guessing attack is far less than GM/T0028 'cipher module safety technical requirement', the probability of success of single password guessing attack is not higher than one million, the probability of success guessing by an attacker is effectively reduced, and the safety is improved.
And step 204, generating a root key according to the user identification and the user password.
It can be understood that the user identifier, the user password and the root key have a corresponding relationship, the root key is used for obtaining a ciphertext corresponding to the data protection key, and the ciphertext is used for protecting data on the solid state disk. The data protection key may be generated by generating a random number of a fixed length (for example, 256 bits) by a random number generator, and using the random number as the data protection key, which may be used to protect data on the solid state disk. The root key is generated through the user identification and the user password, so that the problem that the user cannot participate in the key generation process can be solved, the strength of the root key is enhanced, and the safety is improved.
The embodiment of the invention provides a root key generation protection method, which is applied to a solid state disk and comprises the following steps: firstly, receiving a user identification and a user password input by a user; the user identification and the user password are used for distinguishing different users; generating a root key according to the user identification and the user password; the user identification, the user password and the root key have corresponding relation; the root key is used for encrypting and decrypting the data protection key; the root key is used for obtaining a ciphertext corresponding to the data protection key; the method uses the user identification information and the user password information in the process of generating the root key, so that the user can participate in the generation of the root key, meanwhile, the root key generated according to the user identification and the user password does not need to be stored, the problem that an attacker bypasses user identity authentication to obtain the stored root key, the root key is leaked is effectively solved, and the safety and the reliability of SSD data storage are improved.
Optionally, after generating the root key, the data protection key may be encrypted using the root key, for example. The data protection key can be encrypted through an authenticable encryption mechanism of an SM4 algorithm to obtain an encrypted ciphertext containing integrity check, and the ciphertext is stored in a system data area of the solid state disk so as to determine whether a user can access the solid state disk by comparing the correctness of the ciphertext when the user performs data verification, wherein the authenticable encryption mechanism is a cryptographic technique for realizing data confidentiality protection and providing data integrity and data source authentication, and comprises two processing procedures of encryption and decryption.
Optionally, to describe in detail the process of generating the root key according to the user identifier and the user password, a possible implementation is given on the basis of fig. 1, referring to fig. 2, fig. 2 is a schematic flow chart of another root key generation protection method provided by the embodiment of the present invention, and specifically, one possible implementation of step 203 is:
step 204-1, generating a user password generation parameter according to the user identification and the random number.
It can be understood that the user password generation parameter can be obtained by performing association processing on the user identifier and the random number, in other embodiments, the user identifier, the random number and some public information corresponding to the user identifier can be randomly connected in series to generate the user password, and the random number and the random series connection implementation mode ensure the randomness of the root key, thereby greatly increasing the complexity of an attacker attacking the whole system through the rainbow table, and further reducing the possibility of cracking the root key.
And step 204-2, generating a root key according to the user password and the user password generation parameter.
It will be appreciated that with the user password, user password generation parameters, a fixed length (e.g., output length of SM 4: 128 bits) root key can be derived from a root key generation function, which can be in the form of the following relationship:
RK=GMKDF(PWD,T,cLEN)
wherein RK represents a root key; the GMKDF may be represented as a root key generation function, PWD and T may represent a user password and a user password generation parameter, respectively, cLEN may represent the length of the generated root key, and the GMKDF function may use a domestic cryptographic algorithm, for example, the domestic cryptographic algorithm SM 3.
It should be noted that "GMKDF" is used to identify only the root key generation function, and in other scenarios, the root key generation function may be represented by other identifiers, and functions to generate a root key of length chlen through the user identification PWD and the user password generation parameter T.
Optionally, in order to obtain a random number used for generating a user password generation parameter, on the basis of fig. 2, a possible implementation is given, referring to fig. 3, fig. 3 is a schematic flow chart of another root key generation protection method provided by an embodiment of the present invention, specifically, before step 203, the method further includes:
step 202, obtaining a random number from a random number generator.
It can be understood that the random number may be obtained from a random number generator when a solid state disk user is created, and the random number may ensure randomness of the root key, may enhance strength of the root key, and may reduce possibility of cracking the root key.
And step 203, writing the random number and the user identification into a system data area of the solid state disk.
It can be understood that the system data area maintains the corresponding relationship between the random number and the user identifier, and when a user logs in, the corresponding random number can be directly obtained through the input user identifier, so that the user password generation parameter can be generated according to the user identifier and the random number.
Optionally, to describe in detail the process of generating parameters according to the user password and the user password, a possible implementation is given below on the basis of fig. 3, referring to fig. 4, fig. 4 is a schematic flow chart of another root key generation protection method provided by the embodiment of the present invention, where one possible implementation of step 204-2 is:
step 204-2a, obtaining a root key factor according to the user password and the user generation parameter.
Optionally, a root key factor generation process may be executed by using a user password and a user generation parameter, specifically, refer to fig. 5, where fig. 5 is a data schematic diagram of generating a root key factor provided in an embodiment of the present invention, where an implementation manner of the root key factor generation process may be as follows:
Figure BDA0002317765070000091
Figure BDA0002317765070000101
where len represents the number of times of executing the procedure of generating the root key factor, and may also represent the number of generated root key factors, hLen represents the output length of SM3 algorithm, C represents the number of iterations of generating the root key factor, and TS representsiDenotes the ith root key factor, SM3 denotes the national cipher algorithm, int (i) denotes a 32-over-especially large representation of the value i.
It should be noted that, before obtaining the root key factor according to the user password and the user generation parameter, from the perspective of security, in order to prevent the generated root key from being too long and causing a security risk, it may be determined whether the length of the root key is greater than the length output by the preset algorithm, for example, the preset algorithm may be SM3 algorithm, the length hLen output by the SM3 algorithm is 256 bits, when the length kLen of the root key is less than 256 bits, the root key factor generation procedure may be executed, and the number of times len for executing the root key factor generation procedure may be determined according to the length hLen output by the SM3 algorithm and the length kLen of the root key, for example, by calculation
Figure BDA0002317765070000102
Obtaining the value of len, wherein
Figure BDA0002317765070000103
Indicating rounding up.
It should be noted that, in order to ensure that the execution time for generating the root key can meet the requirement, for example, between one hundredth of a second and one second, so that the probability of success of guessing the root key by an attacker is far less than the probability of success of guessing the attack by multiple passwords within one minute as required by the cryptographic module security requirement, the number of iterations for generating the root key factor may be set in the system data area of the solid state disk, for example, the number of iterations may be set to 1000 times, and then the attacker can guess 6000 times at most within one minute, and the maximum probability of success guessing is about 9.0 × 10 "13, which is far less than the probability of success of guessing the attack by multiple passwords within one minute as required by GM/T0028 cryptographic module security requirement, which is not more than one hundred thousand, thereby effectively preventing the possibility of illegally stealing the root key.
Step 204-2b, synthesizing a root key by the root key factor.
Optionally, a plurality of root key factors TS may be obtained through the above embodiments1、TS1、…、TSlenThe root key may then be synthesized from the root key factors, in particular, the root key may be synthesized by the following relation, i.e. RK ═ MSB (TS)1||TS2||...||TSlenkLen), where kLen represents the output root key length, and MSB () represents the leftmost preset length of the fetch string, e.g., MSB (s, len) represents the leftmost len bit length of the fetch string s.
Optionally, a data schematic diagram of generating a root key through the foregoing embodiment is shown in fig. 6, see fig. 6, where fig. 6 is a data schematic diagram of generating a root key provided in an embodiment of the present invention, and a root key may be obtained by executing a root key generation flow shown in fig. 6. In the process of generating the root key, a root key factor for synthesizing the root key is obtained through a user password and a user password generation parameter, and then the root key with a preset length is synthesized through the root key factor.
Optionally, a user who passes authentication may also change a preset user password, and because the user password is associated with generation of a root key, when the user password is changed, the root key corresponding to the user needs to be updated to prevent the user from failing authentication when logging in again, in order to describe in detail a process of changing the root key, on the basis of fig. 1, a possible implementation manner is provided, referring to fig. 7, where fig. 7 is a schematic flow chart of another root key generation protection method provided by the embodiment of the present invention, and the method further includes:
and step 205, when the user password is changed, obtaining an updated root key according to the user identification and the changed user password.
And the updated root key is used for updating the ciphertext corresponding to the data protection key.
It can be understood that the updated root key can encrypt the data protection key to obtain an updated ciphertext, the updated ciphertext is written into a storage space of the ciphertext in the system data area in a covering manner to complete updating of the ciphertext, and after the user password is changed, the root key is regenerated to update the ciphertext, so that the user can be effectively prevented from failing to pass identity verification when logging in again.
Optionally, when a user logs out of the solid state disk, in order to prevent the root key from being leaked, a possible implementation manner is given on the basis of fig. 1, referring to fig. 8, where fig. 8 is a schematic flowchart of another root key generation protection method provided by the embodiment of the present invention, and the method further includes:
and step 206, when the user corresponding to the user identifier exits from the solid state disk, deleting the root key corresponding to the user identifier.
Optionally, to further elaborate the technical solution of the present invention in detail, the root key generation protection method provided by the present invention is applied to a specific solid state disk function, specifically, refer to fig. 9, where fig. 9 is a schematic diagram of executing the solid state disk function provided by the embodiment of the present invention.
In the process of executing the function of creating a user by the solid state disk, executing a root key generation protection method according to the received user identifier, the initial password and the obtained internally stored SM4 algorithm output length parameter cLEN, specifically comprising the following steps:
step 1: user password generation parameters are generated.
Specifically, a random number R is obtained from a random number generator, where R is not less than 128 bits, the user identifier UID and the random number R are written into a system data area of the solid state disk, and a user password generation parameter T is generated, where T may be a series connection of the user identifier UID, the random number R, and other public information.
Step 2: a root key RK is generated.
Specifically, using the user password PWD and the user password generation parameter T, the root key generation flow shown in fig. 6 is executed to obtain the root key RK with a length cLEN, that is, RK ═ GMKDF (PWD, T, cLEN).
And step 3: a data protection key DK is generated.
Specifically, a 256-bit random number is obtained from a random number generator as a data protection key DK, and an authenticatable encryption mechanism using an SM4 algorithm encrypts the data protection key DK through a root key RK to obtain a ciphertext DKC containing integrity check, that is, the DKC is SM4-AE-ENCRK(DK) storing the ciphertext DKC into the system data area, SM4-AE-ENC indicating that the cryptographic algorithm SM4 employs an authenticated encryption mode to encrypt the data protection key.
It can be understood that, when the user creating function is executed, the root key is temporarily generated according to the user identifier and the user password, the generated root key plays a role in encrypting the data protection key and obtaining a ciphertext, the ciphertext is stored in the system data area of the solid state disk, and the root key does not need to be stored.
And in the process of executing the functions of user login and identity authentication by the solid state disk, the solid state disk generates a root key according to the acquired user identification and the user password, decrypts the ciphertext of the data protection key of the system data area by using the root key, if the decryption is successful, the identity authentication is successful, otherwise, the identity authentication is failed. The method comprises the following specific steps:
step 1: and acquiring user password generation parameters.
Specifically, the random number R corresponding to the user is read from the system storage area, and then the user password generation parameter T is generated according to the user identifier and the random number.
Step 2: a root key RK is generated.
Specifically, the root key generation procedure shown in fig. 6 may be executed by using the user password PWD and the user password generation parameter T to obtain the root key RK with a length cLEN, that is, the root key RK is obtained by using a relation RK ═ GMKDF (PWD, T, cLEN).
And step 3: and decrypting to obtain the data protection key DK.
In particular, the data protection key ciphertext DKC may be decrypted using the SM4 algorithm authentication encryption mechanism SM4-AE-DEC, i.e., DK-SM 4-AE-DECRK(DKC), wherein SM4-AE-DEC shows that the cryptographic algorithm SM4 adopts an authentication encryption mode to decrypt the data protection key, if the decryption is successful, the login is successful, the data protection key DK is obtained, and if the decryption is failed, the login failure is returned.
It can be understood that, when the user logs in and performs authentication, the root key is obtained in a temporary generation manner, and the root key is used for decrypting the ciphertext of the data protection key to perform authentication.
In some scenarios, when a user wants to write data into the solid state disk, the user can encrypt the data written by the user by using a data protection key in a disk encryption mode (e.g., an XTS mode) of an SM4 algorithm to obtain a ciphertext and store the ciphertext into a disk; in other scenes, when a user reads data from the solid state disk, a ciphertext of the data required by the user and stored in the disk can be obtained first, then the ciphertext is decrypted by using the data protection key in the XTS mode to obtain a plaintext, and the data required to be read is obtained according to the plaintext.
Similarly, a user who passes identity authentication can also change a user password, and in the process of executing the function of changing the user password, the solid state disk firstly obtains a data protection key corresponding to the user, then regenerates a root key according to the user identification and a new user password, encrypts the data protection key by using the regenerated root key, and updates the ciphertext of the data protection key, wherein the specific implementation mode is as follows:
step 1: a data protection key DK is obtained.
Specifically, if the user is already in the login state, the data protection key DK resides in the system memory. Otherwise, logging in again to obtain the data protection key DK.
Step 2: a new root key is generated.
Specifically, the root key generation flow shown in fig. 6 is executed using the user NEW password PWD _ NEW and the user password generation parameter T to obtain a NEW root key RK _ NEW with a length cLEN, that is, RK _ NEW ═ GMKDF (PWD _ NEW, T, cLEN).
And step 3: and updating the data protection key ciphertext.
Specifically, an authenticatable encryption mechanism SM4-AE-ENC using the SM4 algorithm encrypts the data protection key DK through the NEW root key RK _ NEW to obtain a ciphertext DKC _ NEW containing an integrity check, that is: DKC _ NEW ═ SM4-AE-ENCRK_NEW(DK), the ciphertext DKC _ NEW overwrites the DKC of the system data area.
It will be appreciated that during the course of making a user password change, the root key also takes the form of a temporary generation of a cryptogram whose role is to update the data protection key.
It is understood that, in some scenarios, after the user creation is completed, the created user may be destroyed directly, and similarly, in other scenarios, after the user completes login, the user may log out directly without any operation, so that in the process of performing the function of logging out and destroying the user by the solid state disk, information stored by the user may be erased from the system data area according to the user identifier corresponding to the user, where the information may be a ciphertext of the data protection key, the user identifier, and a random number corresponding to the user identifier, and the erasing method may be BMB21-2007, DOD522022M, Gutmann erasing method, and the like.
It can be seen from the above embodiments that the root key is not stored in the solid state disk in a fixed form, but is obtained in a temporary generation manner, and in the process of temporarily generating the key, the user identifier and the user password are taken into consideration, so that the problem that an attacker easily bypasses user identity authentication to obtain the stored root key can be effectively solved, leakage of the root key is prevented, and the security and reliability of the SSD data storage are improved.
In order to execute corresponding steps in the foregoing embodiment and various possible manners to achieve corresponding technical effects, an implementation manner of the drone is provided below, referring to fig. 10, where fig. 10 is a functional block diagram of a root key generation protection device provided in an embodiment of the present invention. It should be noted that the basic principle and the resulting technical effect of the root key generation protection device provided by the present embodiment are the same as those of the above embodiments, and for the sake of brief description, no part of the present embodiment is mentioned, and reference may be made to the corresponding contents in the above embodiments. The root key generation protection apparatus 40 includes: a receiving module 401 and a generating module 402.
A receiving module 401, configured to receive a user identifier and a user password input by a user.
Optionally, the user identifier and the user password are used to distinguish different users.
A generating module 402, configured to generate a root key according to the user identifier and the user password.
Optionally, the user identifier, the user password and the root key have a corresponding relationship, and the root key is used for obtaining a ciphertext corresponding to the data protection key; the ciphertext is used for protecting data on the solid state disk.
It is understood that the receiving module 401 and the generating module 402 may perform step 201 and step 204 in cooperation to achieve a corresponding technical effect.
Optionally, the generating module 402 is specifically configured to generate a user password generating parameter according to the user identifier and the random number; and is further specifically configured to generate a root key based on the user password and the user password generation parameter.
It is to be appreciated that the generation module 402 may also perform steps 204-1, 204-2 to achieve corresponding technical effects.
Optionally, the root key generation protection device 40 further includes an obtaining module and a storage module, where the obtaining module is configured to obtain the random number from the random number generator; the storage module is used for writing the random number and the user identification into a system data area of the solid state disk, and the system data area maintains the corresponding relation between the random number and the user identification.
It will be appreciated that the acquisition module and the storage module may be adapted to perform step 202 and step 203 to achieve a corresponding technical effect.
Optionally, the generating module 402 may further generate a root key factor according to the user password and the user generation parameter, and synthesize a root key by the root key factor.
It is to be appreciated that the generation module 402 can be configured to perform the steps 204-2a and 204-2b to achieve a corresponding technical effect.
Optionally, the generating module 402 is further configured to, when the user password is changed, obtain an updated root key according to the user identifier and the changed user password, where the updated root key is used to update a ciphertext corresponding to the data protection key.
It is to be appreciated that the generation module 402 can be utilized to perform step 205 to achieve a corresponding technical effect.
Optionally, the root key generation protection apparatus 40 further includes a deletion module, and the deletion module may delete the root key corresponding to the user identifier when the user corresponding to the user identifier exits from the solid state disk.
It is to be appreciated that the deletion module can be utilized to perform step 206 to achieve a corresponding technical effect.
Referring to fig. 11, fig. 11 is a structural diagram of a solid state disk provided in an embodiment of the present invention, where the solid state disk 50 includes a communication interface 501, a processor 502, and a memory 503, where the processor 502 may be a main control chip and is used to execute a root key generation protection method, and the memory 503 stores machine executable instructions that can be executed by the processor, where the machine executable instructions are executable to implement the root key generation protection method in the foregoing embodiment.
Alternatively, the modules may be stored in the form of software or Firmware (Firmware) in the memory of the solid state disk, and may be executed by the processor of the solid state disk. Meanwhile, data, codes of programs, and the like required to execute the above modules may be stored in the memory of the solid state disk.
The embodiment of the present invention provides a storage medium, on which a computer program is stored, and the computer program, when executed by a processor, implements the root key generation protection method according to any of the foregoing embodiments, and the storage medium may be, but is not limited to, various media that can store program codes, such as a usb disk, a removable hard disk, a ROM, a RAM, a PROM, an EPROM, an EEPROM, a magnetic disk, or an optical disk.
It is noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.
In the description of the present invention, it should also be noted that, unless otherwise explicitly specified or limited, the terms "disposed" and "connected" are to be interpreted broadly, e.g., as being either fixedly connected, detachably connected, or integrally connected; can be mechanically or electrically connected; they may be connected directly or indirectly through intervening media, or they may be interconnected between two elements. The specific meanings of the above terms in the present invention can be understood in specific cases to those skilled in the art.
The above description is only a preferred embodiment of the present invention and is not intended to limit the present invention, and various modifications and changes may be made by those skilled in the art. Any modification, equivalent replacement, or improvement made within the spirit and principle of the present invention should be included in the protection scope of the present invention.
It will be evident to those skilled in the art that the invention is not limited to the details of the foregoing illustrative embodiments, and that the present invention may be embodied in other specific forms without departing from the spirit or essential attributes thereof. The present embodiments are therefore to be considered in all respects as illustrative and not restrictive, the scope of the invention being indicated by the appended claims rather than by the foregoing description, and all changes which come within the meaning and range of equivalency of the claims are therefore intended to be embraced therein. Any reference sign in a claim should not be construed as limiting the claim concerned.

Claims (10)

1. A root key generation protection method is applied to a solid state disk, and comprises the following steps:
receiving a user identification and a user password input by a user; the user identification and the user password are used for distinguishing different users;
generating a root key according to the user identification and the user password; the user identification, the user password and the root key have a corresponding relation; the root key is used for obtaining a ciphertext corresponding to the data protection key; the ciphertext is used for protecting data on the solid state disk.
2. The method for root key generation protection according to claim 1, wherein the step of generating a root key based on a user identifier and a user password comprises:
generating a user password generation parameter according to the user identification and the random number;
and generating the root key according to the user password and the user password generation parameter.
3. The root key generation protection method of claim 2, wherein prior to the step of generating the user password generation parameter from the user identification and a random number, the method further comprises:
acquiring the random number from a random number generator;
writing the random number and the user identification into a system data area of the solid state disk; and the system data area maintains the corresponding relation between the random number and the user identification.
4. The method of claim 3, wherein the step of generating a root key based on the user password and the user generated parameter comprises:
generating a root key factor according to the user password and the user generation parameter;
synthesizing the root key by the root key factor.
5. The root key generation protection method of claim 1, further comprising:
when the user password is changed, obtaining an updated root key according to the user identification and the changed user password; and the updated root key is used for updating the ciphertext corresponding to the data protection key.
6. The root key generation protection method of claim 1, further comprising:
and when the user corresponding to the user identification exits from the solid state disk, deleting the root key corresponding to the user identification.
7. A root key generation protection apparatus, comprising: a receiving module and a generating module;
the receiving module is used for receiving a user identifier and a user password input by a user; the user identification and the user password are used for distinguishing different users;
the generating module is used for generating a root key according to the user identification and the user password; the user identification, the user password and the root key have a corresponding relation; the root key is used for obtaining a ciphertext corresponding to the data protection key; the ciphertext is used for protecting data on the solid state disk.
8. The root key generation protection device of claim 7,
the generation module is specifically used for generating a user password generation parameter according to the user identifier and the random number;
the generating module is specifically configured to generate the root key according to the user password and the user password generation parameter.
9. A solid state disk, comprising:
one or more processors;
memory storing one or more programs that, when executed by the one or more processors, cause the one or more processors to implement the root key generation protection method of any of claims 1-6.
10. A storage medium having stored thereon a computer program, characterized in that the computer program, when being executed by a processor, implements a root key generation protection method according to any one of claims 1-6.
CN201911285133.7A 2019-12-13 2019-12-13 Root key generation protection method and device, solid state disk and storage medium Pending CN111008390A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201911285133.7A CN111008390A (en) 2019-12-13 2019-12-13 Root key generation protection method and device, solid state disk and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201911285133.7A CN111008390A (en) 2019-12-13 2019-12-13 Root key generation protection method and device, solid state disk and storage medium

Publications (1)

Publication Number Publication Date
CN111008390A true CN111008390A (en) 2020-04-14

Family

ID=70114578

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201911285133.7A Pending CN111008390A (en) 2019-12-13 2019-12-13 Root key generation protection method and device, solid state disk and storage medium

Country Status (1)

Country Link
CN (1) CN111008390A (en)

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111541550A (en) * 2020-05-11 2020-08-14 卡瓦科尔牙科医疗器械(苏州)有限公司 Secret key generation method of dental medical information system
CN112257121A (en) * 2020-10-20 2021-01-22 湖南国科微电子股份有限公司 Encryption method, decryption method, electronic device, and storage medium
CN112464211A (en) * 2020-12-21 2021-03-09 合肥大唐存储科技有限公司 Method for verifying information in solid state disk, solid state disk and server
CN114091088A (en) * 2022-01-18 2022-02-25 云丁网络技术(北京)有限公司 Method and apparatus for improving communication security
CN114285554A (en) * 2021-12-15 2022-04-05 廊坊市新奥能源有限公司 Key generation method and device based on equipment identification and computer readable medium

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104639332A (en) * 2015-02-25 2015-05-20 山东超越数控电子有限公司 Protective method for solid-state disk encryption key
CN104852891A (en) * 2014-02-19 2015-08-19 华为技术有限公司 Secret key generation method, equipment and system
CN108449178A (en) * 2018-03-26 2018-08-24 北京豆荚科技有限公司 The generation method of root key in a kind of secure and trusted performing environment

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104852891A (en) * 2014-02-19 2015-08-19 华为技术有限公司 Secret key generation method, equipment and system
CN104639332A (en) * 2015-02-25 2015-05-20 山东超越数控电子有限公司 Protective method for solid-state disk encryption key
CN108449178A (en) * 2018-03-26 2018-08-24 北京豆荚科技有限公司 The generation method of root key in a kind of secure and trusted performing environment

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111541550A (en) * 2020-05-11 2020-08-14 卡瓦科尔牙科医疗器械(苏州)有限公司 Secret key generation method of dental medical information system
CN112257121A (en) * 2020-10-20 2021-01-22 湖南国科微电子股份有限公司 Encryption method, decryption method, electronic device, and storage medium
CN112464211A (en) * 2020-12-21 2021-03-09 合肥大唐存储科技有限公司 Method for verifying information in solid state disk, solid state disk and server
CN114285554A (en) * 2021-12-15 2022-04-05 廊坊市新奥能源有限公司 Key generation method and device based on equipment identification and computer readable medium
CN114091088A (en) * 2022-01-18 2022-02-25 云丁网络技术(北京)有限公司 Method and apparatus for improving communication security
CN114091088B (en) * 2022-01-18 2022-09-06 云丁网络技术(北京)有限公司 Method and apparatus for improving communication security

Similar Documents

Publication Publication Date Title
CN111008390A (en) Root key generation protection method and device, solid state disk and storage medium
US9673975B1 (en) Cryptographic key splitting for offline and online data protection
CN111723383B (en) Data storage and verification method and device
US9286466B2 (en) Registration and authentication of computing devices using a digital skeleton key
JP3613921B2 (en) Access credential authentication apparatus and method
US9043610B2 (en) Systems and methods for data security
KR20030057565A (en) Anti-spoofing password protection
JP5052878B2 (en) Storage device and user authentication method
CN109190401A (en) A kind of date storage method, device and the associated component of Qemu virtual credible root
WO2007006689A1 (en) Generating a secret key from an asymmetric private key
CN102163267A (en) Solid state disk as well as method and device for secure access control thereof
CN106100851B (en) Password management system, intelligent wristwatch and its cipher management method
CN110233729B (en) Encrypted solid-state disk key management method based on PUF
EP2689367B1 (en) Data protection using distributed security key
CN108574578A (en) A kind of black box data protection system and method
CN114297673A (en) Password verification method, solid state disk and upper computer
Lee et al. A secure solution for USB flash drives using FAT file system structure
CN107070648A (en) A kind of cryptographic key protection method and PKI system
CN108985079B (en) Data verification method and verification system
JP2017079419A (en) Server authentication system, terminal, server, server authentication method, program
JPH09106445A (en) Key changing method for information recording medium and information recording medium
Lee et al. The study on the security solutions of USB memory
CN117811734B (en) Service source code encryption storage and evaluation and authentication method
CN113454968B (en) Method and system for secure transactions
Stamm Passwords and Authentication

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication
RJ01 Rejection of invention patent application after publication

Application publication date: 20200414